Signal-desktop is the standalone desktop version of the secure Signal messenger. This software is vulnerable to remote code execution from a malicious contact, by sending a specially crafted message containing HTML code that is injected into the chat windows (Cross-site scripting).

Vulnerable Packages:

Signal-desktop messenger v1.7.1

Signal-desktop messenger v1.8.0

Signal-desktop messenger v1.9.0

Signal-desktop messenger v1.10.0

Originally found in v1.9.0 and v1.10.0, but after reviewing the source code the aforementioned are the impacted versions.

Solution/Vendor Information/Workaround

Upgrade to Signal-desktop messenger v1.10.1 or v1.11.0-beta.3
For safer communications on desktop systems, please consider the use of a safer end-point client like PGP or GnuPG instead.

While discussing a XSS vulnerability on a website using the Signal-desktop messenger, it was found that the messenger software also displayed a code-injection vulnerability while parsing the affected URLs.

The Signal-desktop software fails to sanitize specific html-encoded HTML tags that can be used to inject HTML code into remote chat windows. Specifically the <img> and <iframe> tags can be used to include remote or local resources.

For example, the use of iframes enables full code execution, allowing an attacker to download/upload files, information, etc. The <script> tag was also found injectable.

In the Windows operative system, the CSP fails to prevent remote inclusion of resources via the SMB protocol. In this case, remote execution of JavaScript can be achieved by referencing the script in a SMB share as the source of an iframe tag, for example: <iframe src=\\DESKTOP-XXXXX\Temp\test.html>. The included JavaScript code is then executed automatically, without any interaction needed from the user. The vulnerability can be triggered in the signal-desktop client by sending a specially crafted message.